From 260ac4b3a2413c82ef3e6c3653672970d4979acf Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sat, 14 Sep 2024 18:52:36 +0800
Subject: [PATCH] vim-patch:9.1.0728: [security]: heap-use-after-free in garbage collection with location list user data

Problem: heap-use-after-free in garbage collection with location list user data.
Solution: Mark user data as in use when no other window is referencing the location list (zeertzjq)

fixes: neovim/neovim#30371
closes: vim/vim#15683

https://github.com/vim/vim/commit/be4bd189d23854ddf1d85ad291d8f7ad3f22b7a0
---
 src/nvim/quickfix.c | 5 +++++
 test/old/testdir/test_quickfix.vim | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/nvim/quickfix.c b/src/nvim/quickfix.c
index 1fd0618e2b..9cb914a50d 100644
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@@ -6936,6 +6936,11 @@ bool set_ref_in_quickfix(int copyID)
       if (abort) {
         return abort;
       }
+
+      abort = mark_quickfix_user_data(win->w_llist_ref, copyID);
+      if (abort) {
+        return abort;
+      }
     }
   }
diff --git a/test/old/testdir/test_quickfix.vim b/test/old/testdir/test_quickfix.vim
index a708cabc26..0d08b76d94 100644
--- a/test/old/testdir/test_quickfix.vim
+++ b/test/old/testdir/test_quickfix.vim
@@ -4072,11 +4072,23 @@ func Test_ll_window_ctx()
   enew | only
 endfunc
 
+" Similar to the problem above, but for user data.
+func Test_ll_window_user_data()
+  call setloclist(0, [#{bufnr: bufnr(), user_data: {}}])
+  lopen
+  wincmd t
+  close
+  call test_garbagecollect_now()
+  call feedkeys("\", 'tx')
+  call test_garbagecollect_now()
+  %bwipe!
+endfunc
+
 " The following test used to crash vim
 func Test_lfile_crash()
   sp Xtest
   au QuickFixCmdPre * bw
-  call assert_fails('lfile', 'E40')
+  call assert_fails('lfile', 'E40:')
   au! QuickFixCmdPre
 endfunc
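Review bot: The branch that the new `mark_quickfix_user_data(win->w_llist_ref, copyID)` call lands in — including the guard that makes dereferencing `w_llist_ref` safe (presumably the location-list-window / refcount check) and any comment explaining why only that case is marked — lies outside the hunk, and if that comment still says only the location list context is kept alive it is now stale; set_ref_in_quickfix starts and ends outside the hunk. If so, it should read along the lines of `// Mark the location list context and user data as still in use.` Since the context/user_data pair must be marked together wherever a list is kept reachable, a small static helper returning `mark_quickfix_ctx(qi, copyID) || mark_quickfix_user_data(qi, copyID)` and called from both the w_llist and the w_llist_ref paths would stop the two sites from drifting apart again, which appears to be how this use-after-free arose.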
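Review bot: The `call feedkeys("\", 'tx')` line in the new Test_ll_window_user_data shows an unterminated string in this listing; the key notation inside the quotes (most likely `"\<CR>"`, to jump from the location list window after its referring window was closed) appears to have been stripped when the page was rendered, so confirm the committed line reads `call feedkeys("\<CR>", 'tx')`. The test also catches the regression only as a sanitizer report — without ASan a freed user_data dict can still read back as `{}` — so a one-line comment such as `" Needs a sanitizer build to detect the freed user_data; there is nothing to assert here.` would tell future readers why the function has no assertion and must keep running under ASan in CI.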